FTC: Mobile Apps Haven't Come Clean on Use of Kids' Data

The FTC is jangling a few nerves in the mobile app development world with its announcement of several investigations over possible violations of COPPA, the law designed to protect children's privacy online. The probes come as the agency considers adjusting rules promulgated under the law. "My concern is every time the FTC has expanded COPPA, it has pushed into new areas," said ITIF's Daniel Castro.

By Erika Morphy
12/11/12 9:20 AM PT

The Federal Trade Commission leaves no doubt about its view of the mobile app industry's efforts to protect children online with its latest report: "Mobile Apps for Kids -- Disclosures Still Not Making the Grade."

The report reveals the results of a follow-up survey to a February report that found disclosures were lacking in mobile apps aimed at children. In that earlier report, the FTC called on all members of the children app ecosystem -- app stores, developers, and third parties that interact with the apps -- to provide greater transparency about their data practices.

The follow-up survey examined the privacy disclosures apps provided and tested the apps' practices, compared to the disclosures made. It determined that many apps had interactive features or shared information with third parties without disclosures to parents.

The FTC is now launching multiple nonpublic investigations to determine whether mobile app developers have violated the Children's Online Privacy Protection Act or engaged in unfair or deceptive trade practices in violation of the FTC Act.

Separately, the FTC is gearing up to decide on proposed new rules for children's privacy under the COPPA law. That vote will come either later this month or in early 2013.

"This is creating concerns about how the rules will affect the rest of Internet users, not just children," he told the E-Commerce Times.

When COPPA was passed, Castro noted, the FTC was tasked with two missions: Protect the privacy of children, and preserve innovation in digital content aimed at children.

The agency has fallen down on the innovation issue, he said. "The FTC is not looking out for how to enable robust growth. There were a lot of sites available 12 years ago for children that have gone out of business because they weren't able to survive without targeted advertising."

There's nothing in the latest report that indicates the FTC found harm was caused to children in a quantifiable or meaningful way, Castro maintained.

Different Tactics for the FTC

This report could set a new precedent for the FTC, Mary Ellen Callahan, chair of
Jenner & Block's privacy and information governance practice, told the E-Commerce Times.

"This report is the first time that the FTC is using its research surveys to influence regulation," she said.

"By that I mean this report has been issued much earlier than the sequence of reports that FTC usually does," Callahan continued. "It is unusual for the FTC to conduct a survey less than a year before the last survey was conducted."

It is also unusual that the report assumes that device ID is personal information, and that mobile app developers should inform users when this information is disclosed to third parties, she said.

"Given that the FTC hasn't modified COPPA regulations, there is no basis on which mobile app developers would have done that. My worry is that this report will justify proposed changes to regulations in a way that the FTC hasn't done before," explained Callahan.

"This survey was designed to promote 'best practices' by all participants in the mobile app marketplace -- including app developers, app stores, and the third parties that obtain information through apps -- and should not be read to make any statements or predictions about the COPPA rulemaking," FTC spokesperson Cheryl Hackley told the E-Commerce Times.

Mobile Device ID Questions

Mobile device identification is one of the points on which COPPA may be changed, according to Alan Friel, a partner at
Edwards Wildman Palmer.

One of those proposed changes would be to deem persistent identifiers, such as mobile device identifiers or browser identifiers, as personal information. That would necessitate obtaining verified parental consent before collecting and using it for anything other than internal operations, Friel said -- and it would require advance consent before sharing with third party ad networks.

The change in regulation could also morph into a backdoor, with the definition of personal information expanded to include persistent identifiers regardless of age, he continued.

The FTC seems to be moving toward imposing restrictions on what the advertising industry can do with identifiers in the absence of consumer choice, said Friel.

That may not be such a bad thing, from the perspective of child safety advocates.

"The privacy issues of these apps is not just an issue for kids, but all mobile app users," said Lynette Owens, founder and global director of
Trend Micro's Internet Safety for Kids and Families program.

"We need a 'stamp of approval' that makes it clear which apps best maintain the user's privacy," she told the E-Commerce Times.

"Parents are faced with so many app choices for their kids," Owens emphasized. "We need to develop the appropriate terminology to recognize apps that have passed the test."